WHOIS Lookup

The WHOIS Lookup Service gives you a way to look up who the owner of an Internet resource is.

WHOIS Lookup can be used to find out who owns an IP address and who owns a domain name. In most cases, you are interested in knowing who owns an IP address that is visiting your site or is engaged in malicious activity on your site.

Basic use of WHOIS

To use WHOIS in Wordfence, simply enter a domain name like example.com and hit the button to find out who owns that domain name. You can see when the domain name was registered, when it expires, who the registered owner is, and also one or more contact email addresses.

Wordfence tries to be helpful by making the email addresses and other items clickable in the response to save you work.

Now try entering an IP address like 8.8.8.8 and you will see which network that IP address is part of, who owns the IP address, and who to contact if you are seeing malicious activity originate from that IP address. In this case, the contact email is “arin-contact@google.com” and so if that IP address attacks your website, you can just send “arin-contact@google.com” an email telling them to stop attacking your website, or (and this is more likely) that their server has been hacked and someone is using it to attack your site.

How to block Networks using WHOIS

Sometimes you will not just receive attacks from a single IP address like 8.8.8.8 (for example). You might receive attacks from 8.8.8.9 and 8.8.8.10 and a few other sequential IP addresses or IP addresses that are close together in the address space. In this case, you want to block an entire network and all IP addresses on that network from accessing your site. But you might not be sure what the range of addresses in the network is.

Wordfence makes this really easy by giving you a way to find out which network an IP address is on. When you do a lookup, Wordfence tells you that the range of addresses in this network is 8.8.8.0 to 8.8.8.255 and it gives you a helpful link that you can click on to block that network. It also tells you how many addresses are in that network, and in this case it is 256 addresses.

If you click a network that has been hot-linked in the WHOIS results then it takes you directly to the Wordfence “Blocking” page and puts the IP address range you clicked on in the range field. Now all you have to do is enter the reason why you are blocking the network and click the button to save the blocking rule.

Note that when you see the results of a WHOIS query for an IP address, you will often see multiple networks listed that the IP address belongs to. In general, you want to pick the smallest network shown. That is why we show you the number of IP addresses in each network to help you quickly select the smallest block of IP addresses to block. When looking at the WHOIS results page for an IP address, scroll down because often the smaller block of IP addresses that defines a network the IP address belongs to is in the lower part of the WHOIS results.
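The "pick the smallest network" rule above can be checked outside the plugin. This is an added example, not Wordfence code: it reads the ARIN-style NetRange and RIPE-style inetnum lines from a constructed WHOIS response, selects the smallest listed range that contains the IP address, and reports which observed addresses that block would miss. The function names and the sample text are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample WHOIS output (not a real registry response): ARIN-style
# NetRange lines plus a RIPE-style inetnum line, largest network first.
SAMPLE_WHOIS = """\
NetRange:       8.0.0.0 - 8.127.255.255
OrgName:        Example Parent Org
NetRange:       8.8.8.0 - 8.8.8.255
OrgName:        Example Customer Org
inetnum:        192.0.2.0 - 192.0.2.255
"""

RANGE_RE = re.compile(r"^(?:NetRange|inetnum):\s*(\S+)\s*-\s*(\S+)", re.M | re.I)


def parse_ranges(whois_text):
    """Return (first, last) address pairs for every range line in the text."""
    ranges = []
    for start, end in RANGE_RE.findall(whois_text):
        try:
            first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        except ValueError:
            continue  # skip malformed lines rather than guessing
        if first.version == last.version and first <= last:
            ranges.append((first, last))
    return ranges


def smallest_network(whois_text, ip):
    """Smallest listed range containing ip, as (first, last, size), or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(f, l) for f, l in parse_ranges(whois_text)
            if f.version == addr.version and f <= addr <= l]
    if not hits:
        return None
    first, last = min(hits, key=lambda r: int(r[1]) - int(r[0]))
    return first, last, int(last) - int(first) + 1


def uncovered(block, ips):
    """Observed IPs that the chosen block would NOT stop."""
    first, last, _ = block
    missed = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.version != first.version or not first <= addr <= last:
            missed.append(ip)
    return missed
```

Calling smallest_network(SAMPLE_WHOIS, "8.8.8.8") selects 8.8.8.0 to 8.8.8.255 (256 addresses) instead of the parent allocation, and uncovered() shows whether every attacking address seen so far actually falls inside the block before the rule is saved.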

How to block networks on the Live Traffic page using WHOIS and Blocking

It gets even easier. Let's say your website is under attack and you’re seeing the attack in Wordfence Live Traffic. You see several IP addresses attacking you that start with (and this is just an example) 9.9.9.9 and 9.9.9.10 and 9.9.9.14 and 9.9.9.20. They all appear fairly close together. You see a link in your live traffic for each visit titled “Run a WHOIS on 9.9.9.10”.

So you click the link on one of the visits in Live Traffic to do a WHOIS on the IP address. You see the results and you see the networks that the IP address belongs to. You then click on the smallest network (with the fewest IP addresses) in the list and are taken to the blocking page.

You then enter the reason you’re blocking this network to remind yourself why the block exists. You hit the button to save the block and you’re done. You’ve stopped the attack in its tracks with three clicks and blocked an entire malicious network.